NFC-47 Path to static resources clearer. Remove filter paths permit. WebEidChallengeNonceFilter to post. Index js method to POST with csrf. Remove @secured and @EnableMethodSecurity. Remove WebMvcConfigurer and view controllers from ApplicationConfiguration. Return auth_uri as JSON map. Constant name to OBJECT_MAPPER. Remove unnecessary shouldNotFilterAsyncDispatch override. Inline CSRF token and header directly in login page script. Show mobileAuthError message on login page.

Author: SanderKondratjevNortal

example/src/main/java/eu/webeid/example/config/ApplicationConfiguration.java

@@ -29,12 +29,10 @@
 import eu.webeid.example.security.ui.WebEidLoginPageGeneratingFilter;
 import eu.webeid.security.challenge.ChallengeNonceGenerator;
 import eu.webeid.security.challenge.ChallengeNonceStore;
-import org.springframework.boot.autoconfigure.security.servlet.PathRequest;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.http.HttpMethod;
 import org.springframework.security.config.annotation.authentication.configuration.AuthenticationConfiguration;
-import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.config.annotation.web.configurers.HeadersConfigurer;
@@ -43,13 +41,10 @@
 import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
 import org.springframework.security.web.authentication.logout.HttpStatusReturningLogoutSuccessHandler;
 import org.springframework.security.web.csrf.CsrfFilter;
-import org.springframework.web.servlet.config.annotation.ViewControllerRegistry;
-import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
 
 @Configuration
 @EnableWebSecurity
-@EnableMethodSecurity(securedEnabled = true)
-public class ApplicationConfiguration implements WebMvcConfigurer {
+public class ApplicationConfiguration {
 
     @Bean
     public SecurityFilterChain filterChain(HttpSecurity http, AuthTokenDTOAuthenticationProvider authTokenDTOAuthenticationProvider, AuthenticationConfiguration authConfig, ChallengeNonceGenerator challengeNonceGenerator, ChallengeNonceStore challengeNonceStore) throws Exception {
@@ -58,14 +53,12 @@ public SecurityFilterChain filterChain(HttpSecurity http, AuthTokenDTOAuthentica
 
         return http
             .authorizeHttpRequests(auth -> auth
-                .requestMatchers(PathRequest.toStaticResources().atCommonLocations()).permitAll()
+                .requestMatchers("/css/**", "/js/**", "/images/**", "/webjars/**", "/favicon.*", "/icon-*").permitAll()
                 .requestMatchers("/", "/error").permitAll()
                 .requestMatchers(HttpMethod.GET, "/auth/eid/login").permitAll()
-                .requestMatchers("/auth/challenge").permitAll()
-                .requestMatchers(HttpMethod.POST, "/auth/mobile/auth/init").permitAll()
                 .requestMatchers("/auth/login").permitAll()
                 .requestMatchers("/welcome").hasRole("USER")
-                .anyRequest().permitAll()
+                .anyRequest().authenticated()
             )
             .authenticationProvider(authTokenDTOAuthenticationProvider)
             .addFilterBefore(new WebEidLoginPageGeneratingFilter(), UsernamePasswordAuthenticationFilter.class)
@@ -76,10 +69,4 @@ public SecurityFilterChain filterChain(HttpSecurity http, AuthTokenDTOAuthentica
             .logout(l -> l.logoutSuccessHandler(new HttpStatusReturningLogoutSuccessHandler()))
             .build();
     }
-
-    @Override
-    public void addViewControllers(ViewControllerRegistry registry) {
-        registry.addViewController("/").setViewName("index");
-        registry.addViewController("/welcome").setViewName("welcome");
-    }
 }

example/src/main/java/eu/webeid/example/security/WebEidChallengeNonceFilter.java

@@ -1,24 +1,4 @@
-/*
- * Copyright (c) 2020-2025 Estonian Information System Authority
- *
- * Permission is hereby granted, free of charge, to any person obtaining a copy
- * of this software and associated documentation files (the "Software"), to deal
- * in the Software without restriction, including without limitation the rights
- * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
- * copies of the Software, and to permit persons to whom the Software is
- * furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included in all
- * copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
- * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
- * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
- * SOFTWARE.
- */
+
 
 package eu.webeid.example.security;
 
@@ -42,7 +22,7 @@ public final class WebEidChallengeNonceFilter extends OncePerRequestFilter {
 
     private static final ObjectWriter JSON = new ObjectMapper().writer();
     private final RequestMatcher matcher =
-        PathPatternRequestMatcher.withDefaults().matcher(HttpMethod.GET, "/auth/challenge");
+            PathPatternRequestMatcher.withDefaults().matcher(HttpMethod.POST, "/auth/challenge");
 
     private final ChallengeNonceGenerator nonceGenerator;
 

example/src/main/java/eu/webeid/example/security/WebEidMobileAuthInitFilter.java

@@ -23,7 +23,6 @@
 package eu.webeid.example.security;
 
 import com.fasterxml.jackson.databind.ObjectMapper;
-import eu.webeid.example.service.dto.MobileAuthInitResponse;
 import eu.webeid.security.challenge.ChallengeNonceGenerator;
 import eu.webeid.security.challenge.ChallengeNonceStore;
 import jakarta.servlet.FilterChain;
@@ -43,9 +42,9 @@
 import java.util.Map;
 
 public final class WebEidMobileAuthInitFilter extends OncePerRequestFilter {
-    private static final ObjectMapper MAPPER = new ObjectMapper();
+    private static final ObjectMapper OBJECT_MAPPER = new ObjectMapper();
     private final RequestMatcher matcher =
-            PathPatternRequestMatcher.withDefaults().matcher(HttpMethod.POST, "/auth/mobile/auth/init");
+        PathPatternRequestMatcher.withDefaults().matcher(HttpMethod.POST, "/auth/mobile/auth/init");
 
     private final ChallengeNonceGenerator nonceGenerator;
     private final ChallengeNonceStore challengeNonceStore;
@@ -69,21 +68,16 @@ protected void doFilterInternal(@NonNull HttpServletRequest request,
         challengeNonceStore.put(challenge);
 
         String loginUri = ServletUriComponentsBuilder.fromCurrentContextPath()
-                .path("/auth/eid/login").build().toUriString();
+            .path("/auth/eid/login").build().toUriString();
 
-        String payloadJson = MAPPER.writeValueAsString(Map.of(
-                "challenge", challenge.getBase64EncodedNonce(),
-                "login_uri", loginUri
+        String payloadJson = OBJECT_MAPPER.writeValueAsString(Map.of(
+            "challenge", challenge.getBase64EncodedNonce(),
+            "login_uri", loginUri
         ));
         String encoded = Base64.getEncoder().encodeToString(payloadJson.getBytes(StandardCharsets.UTF_8));
         String eidAuthUri = "web-eid-mobile://auth#" + encoded;
 
         response.setContentType("application/json");
-        MAPPER.writeValue(response.getWriter(), new MobileAuthInitResponse(eidAuthUri));
-    }
-
-    @Override
-    protected boolean shouldNotFilterAsyncDispatch() {
-        return false;
+        OBJECT_MAPPER.writeValue(response.getWriter(), Map.of("auth_uri", eidAuthUri));
     }
 }

example/src/main/java/eu/webeid/example/security/ui/WebEidLoginPageGeneratingFilter.java

@@ -46,8 +46,6 @@ public final class WebEidLoginPageGeneratingFilter extends OncePerRequestFilter
             <head>
               <meta charset="utf-8">
               <title>Signing you in…</title>
-              <meta id="csrftoken" content="%s"/>
-              <meta id="csrfheadername" content="%s"/>
             </head>
             <body>
             <script>
@@ -62,16 +60,13 @@ public final class WebEidLoginPageGeneratingFilter extends OncePerRequestFilter
                 return;
               }
 
-              const csrfToken = document.querySelector('#csrftoken').content;
-              const csrfHeaderName = document.querySelector('#csrfheadername').content;
-
               const authToken = payload["auth-token"] ?? payload;
 
               fetch("/auth/login", {
                 method: "POST",
                 headers: {
                   "Content-Type": "application/json",
-                  [csrfHeaderName]: csrfToken
+                  "%s": "%s"
                 },
                 body: JSON.stringify({ "auth-token": authToken }),
                 credentials: "include"
@@ -82,7 +77,10 @@ public final class WebEidLoginPageGeneratingFilter extends OncePerRequestFilter
               })
               .catch(e => {
                 console.error("Login failed", e);
-                window.location.replace("/?mobileAuthError=login_failed");
+                const errorDiv = document.createElement("div");
+                errorDiv.style.color = "red";
+                errorDiv.textContent = "Authentication failed.";
+                document.body.appendChild(errorDiv);
               });
             })();
             </script>
@@ -93,7 +91,7 @@ public final class WebEidLoginPageGeneratingFilter extends OncePerRequestFilter
 
     @Override
     protected void doFilterInternal(@NonNull HttpServletRequest request, @NonNull HttpServletResponse response, @NonNull FilterChain chain)
-            throws IOException, ServletException {
+        throws IOException, ServletException {
         if (!requestMatcher.matches(request)) {
             chain.doFilter(request, response);
             return;
@@ -108,8 +106,8 @@ protected void doFilterInternal(@NonNull HttpServletRequest request, @NonNull Ht
         }
 
         String html = generateHtml(
-                csrf != null ? csrf.getToken() : "",
-                csrf != null ? csrf.getHeaderName() : "X-CSRF-TOKEN"
+            csrf != null ? csrf.getToken() : "",
+            csrf != null ? csrf.getHeaderName() : "X-CSRF-TOKEN"
         );
 
         response.setContentType("text/html;charset=UTF-8");

example/src/main/java/eu/webeid/example/web/WelcomeController.java

@@ -24,18 +24,14 @@
 
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
-import org.springframework.security.access.annotation.Secured;
 import org.springframework.stereotype.Controller;
 import org.springframework.ui.Model;
 import org.springframework.web.bind.annotation.GetMapping;
 
 import java.security.Principal;
 import java.util.Objects;
 
-import static eu.webeid.example.security.AuthTokenDTOAuthenticationProvider.ROLE_USER;
-
 @Controller
-@Secured(ROLE_USER)
 public class WelcomeController {
     private static final Logger LOG = LoggerFactory.getLogger(WelcomeController.class);
 

example/src/main/resources/templates/index.html

@@ -280,8 +280,12 @@ <h3><a id="for-developers"></a>For developers</h3>
           }
 
           const challengeResponse = await fetch("/auth/challenge", {
-            method: "GET",
-            headers: { "Content-Type": "application/json" }
+                method: "POST",
+                headers: {
+                    "Content-Type": "application/json",
+                    [csrfHeaderName]: csrfToken
+                },
+                credentials: "include"
             });
             await checkHttpError(challengeResponse);
             const {nonce} = await challengeResponse.json();